Email Privacy

Is Email Really Secure and Private?

Email is insecure by default; it is no more secure than a postcard sent by lettermail. Although the University follows sound IT practices and due diligence to provide secure, private and reliable email services to its users, it comes down to individual users to exercise caution when using email to communicate confidential or sensitive matters.

The following discusses some potential risks of using email, as well as what users should and should not send.

Risks of Using Email to Share Sensitive Information

Email is perhaps the most common method to share information on campus. However, it also carries some risks, and it is important to consider these risks when deciding whether to send information to someone through email:

  • Misdirection - when an email is unintentionally sent to the wrong person. Learn how to minimize the risk of sending misdirected emails.
  • Interception - when an email is intercepted by hackers or government surveillance programs. Fortunately, any email sent through Gmail is encrypted for your protection. Learn more about encryption.
  • Mishandling by recipient - when the recipient of an email stores it inappropriately, copies it, and/or forwards it to others. As you have no control over how a recipient handles your email, use caution when sending personal or sensitive information.
  • Account vulnerabilities - these include a weak password and email phishing scams, both of which leave an email account vulnerable to external threats. Always set a strong password (eight to ten characters long) and never open suspicious emails.

For a further discussion about the risks of using email in the context of sending patient information, please see the OIPC Practice Note. Please also review the following infographic and document for additional general guidelines on email management.

Guidelines for Sending Emails

Avoid emailing:

  • medical records;
  • credit card numbers;
  • social insurance numbers;
  • sensitive employee records:
    • personnel files,
    • salary,
    • discipline records,
    • information related to a law enforcement investigation,
    • third-party business information submitted in confidence.

In general, it is acceptable to email:

  • date of birth (but avoid where possible);
  • moderately sensitive information:
    • grades,
    • CCIDs,
    • employee and student ID numbers,
    • personal contact information;
  • non-sensitive information:
    • publicly displayed University email addresses,
    • accounting chart of accounts,
    • anything available on the University's website.

Alternatives to Email: UAlberta Google Drive

The Information and Privacy Office (IPO) and the Chief Information Security Officer (CISO) have assessed UAlberta G Suite through a Privacy Impact Assessment and Security Review and have found that Google Drive has adequate privacy and security controls.

Google Drive is a secure and modern digital workspace that stores files encrypted in Google's cloud infrastructure and includes built-in information rights management (IRM), meaning files are kept private until the document owner decides to share them. As a result, Google Drive is a better option than email for sharing highly sensitive or confidential information. However, be conscientious and careful when providing permission to those receiving or viewing the document or files, and always remember to unshare a document once the business need for it has passed.

Learn more information about the different sharing settings at the Google Drive Help Center.

Additional Alternatives for Sharing and Storing University Information

  • Encrypted attachment - one way to securely send personal or confidential information is through an encrypted attachment, which can only be read by the person with the decryption key, i.e., password. The password should be shared with the recipient over the phone or through another method that does not involve email. Review the MyCCID Password Tips for help choosing a strong password.
  • Shared network drive - if you wish to share a document containing personal information with a colleague in your office, consider whether you can save the personal information to a shared drive on your faculty, department or unit network. Then, simply email or tell your colleague the location in which you saved the document.
  • Fax - while faxing documents involves its own set of risks, this tends to be considered a more acceptable practice within the medical community than email. When faxing personal or confidential information, it is prudent to follow the guidelines set out in this publication: OIPC Guidelines on Facsimile Transmission
  • Non-electronic methods - sometimes, it will be most appropriate to use traditional methods of exchanging information, such as mail, courier, campus mail, hand delivery or a phone call.